Decision 046/2019: Names of offenders who have breached home detention curfews

Public authority: Chief Constable of the Police Service of Scotland
Case Ref: 201801521

Summary

Police Scotland were asked for the names and dates of birth of offenders who had breached home detention curfews and were "unlawfully at large". Police Scotland withheld the information under the exemption for third party personal data.

The Commissioner found that Police Scotland were entitled to withhold this information.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A)(a) and (5) (definitions of the "data protection principles", "data subject", "the GDPR", "personal data" and "processing") (Personal information)

General Data Protection Regulation (GDPR) Articles 5(1)(a) (Principles relating to processing of personal data); 10 (Processing of personal data relating to criminal convictions and offences)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3) and (4)(d) (Terms relating to the processing of personal data); 10(4) and (5) (Special categories of personal data and criminal convictions etc data); 11(2) (Special categories of personal data etc: supplementary)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. This decision considers home detention curfews (HDCs). HDCs came into use in Scotland in 2006. They allow prisoners, mainly serving shorter sentences, to serve up to a quarter of their sentence on licence in the community, while wearing an electronic tag. The licence includes a range of standard conditions and a curfew condition that requires prisoners to remain at a particular place for a set period each day. Prisoners who fail to comply with the curfew or other licence conditions can be recalled to custody.[1]

2. On 17 July 2018, Mr G made an information request to the Chief Constable of the Police Service of Scotland (Police Scotland). Among other requests which did not form part of his application, he asked for the names and dates of birth of all offenders who had breached HDCs and were currently "unlawfully at large".

3. Police Scotland responded on 13 August 2018. They withheld the names and dates of birth under section 38(1)(b) of FOISA (Personal information).

4. Later that day, Mr G wrote to Police Scotland requesting a review of their decision. He acknowledged that there was a data protection exemption in FOISA, but believed a public interest test was required. He commented that there was a public interest in disclosing the names and dates of birth of the offenders as "these are convicted criminals who are still being pursued by police".

5. He noted that Police Scotland have previously released details of individuals who are unlawfully at large in press releases, and argued that if data protection did not apply to that information, it should not apply to a freedom of information request either.

6. Police Scotland notified Mr G of the outcome of their review on 4 September 2018. They upheld the exemption in section 38(1)(b) of FOISA, this time explaining that disclosure was likely to breach the data protection principle which requires processing to be fair and lawful.

7. Police Scotland commented that they had obtained the data for specified, explicit and legitimate purposes and that any further processing must be compatible with those purposes, e.g. necessary for law enforcement process. Disclosing the data in response to a request under FOISA would be incompatible with these purposes.

8. On 12 September 2018, Mr G applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr G was dissatisfied with the outcome of Police Scotland's review for the reasons he had expressed when making his request for review to Police Scotland.

Investigation

9. The application was accepted as valid. The Commissioner confirmed that Mr G made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

10. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. Police Scotland were invited to comment on this application and answer specific questions.

11. Mr G also provided comments and information to assist the Commissioner's investigation.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner considered all the relevant submissions, or parts of submissions, made to him by both Mr G and Police Scotland. He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) of FOISA (Personal information)

13. Police Scotland withheld the names and dates of birth of the offenders who had breached HDCs and who were "unlawfully at large" under section 38(1)(b) of FOISA.

14. In this case, Police Scotland applied the exemption in section 38(1)(b) read with section 38(2A)(a). Under this exemption, information is exempt from disclosure if it is personal data and disclosure would breach any of the data protection principles in the GDPR or in the DPA 2018. (This particular exemption is not subject to the public interest test in section 2(1)(b) of FOISA.)

Is the information personal data?

15. The first question the Commissioner must address is whether the information Mr G has requested is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable living individual.

16. The Commissioner's briefing on section 38 (Personal Information)[2] notes that the two main elements of personal data are that:

• the information must "relate to" a living person; and
• the person must be identified - or identifiable - from the data or from the data and other information.

17. Information will relate to a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

18. An "identifiable living individual" is one who can be identified, directly or indirectly, in particular by reference to an identifier (such as a name) or one or more factors specific to the individual (see section 3(3) of the DPA 2018).

19. Police Scotland argued that disclosing the names and dates of birth would identify living individuals. Even if individuals could not be identified from the names and dates of birth alone, Police Scotland also had to consider the efforts individuals might make to identify individuals from other information. Police Scotland commented:

"[It is] not beyond the realms of possibility that the applicant could use available social media to assist in doing so as many individuals (regardless of whether having been convicted for a criminal offence and released on HDC) have accounts which are not disabled upon receipt of a custodial sentence."

20. Having considered the arguments made by Police Scotland and the subject matter of the request, the Commissioner is satisfied that the names and dates of birth of the offenders is personal data. The information clearly relates to living persons and is capable of identifying them, directly or indirectly.

Criminal offence data

21. Information relating to criminal convictions and offences is given special status in the GDPR: Article 10 makes it clear that the processing of this type of personal data can be carried out only under the control of official authority or when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of the data subjects.

22. Section 11(2) of the DPA 2018 makes it clear that proceedings for an offence committed by a data subject or the disposal of such proceedings, including sentencing, is criminal offence data. Within the context of his request, the personal data Mr G has asked for falls within this definition.

23. Criminal offence data can only be processed if one of the stringent conditions in Parts 1 to 3 of Schedule 1 to the DPA 2018 can be met (section 10(5) of the DPA 2018).

24. "Processing" of personal data is defined in section 3(4) of the DPA 2018. It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data. The definition therefore covers disclosing information into the public domain in response to a FOISA request.

25. The Commissioner has considered each of these conditions and whether any of them could be relied on to disclose the criminal offence data. Having done so, and having taken into account the restrictive nature of the conditions, he considers that they could not.

26. The Commissioner accepts that Police Scotland has previously disclosed the names of some individuals who are unlawfully at large and have published their details to make the public aware that they are wanted by the police. There are conditions in Schedule 1 to the DPA 2018 which allow Police Scotland to do this: for example, paragraph 10(1) of Part 2 of Schedule 1 to the DPA 2018 allows Police Scotland to process criminal conviction data if the processing is necessary for the purposes of the prevention or detection of an unlawful act and the processing is necessary for reasons of substantial public interest, etc.

27. However, this is not the same as a wholesale disclosure of names and dates of birth into the public domain, which is the effect of disclosure under FOISA. It is reasonable to assume that any previous decision to disclose details of some individuals has been taken after an assessment of all factors relevant to the specific case and in line with the relevant legal tests.

28. As noted above, Police Scotland argued that disclosure would breach the data protection principle (Article 5(1)(a) of the GDPR) which requires that personal data shall be processed lawfully and fairly. As none of the conditions required for processing personal data are satisfied, there can be no legal basis for its disclosure.

29. Consequently, the names and dates of birth of the offenders is exempt from disclosure under section 38(1)(b) of FOISA.

Decision

The Commissioner finds that the Chief Constable of the Police Service of Scotland complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr G.

Appeal

Should either Mr G or Police Scotland wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
15 March 2019

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

…

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

…

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

…

(e) in subsection (1) of section 38 -

…

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

…

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));

…

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

….

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" … have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) … of that Act);

…

General Data Protection Regulation

5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

…

10 Processing of personal data relating to criminal convictions and offences

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority of when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Data Protection Act 2018

3 Terms relating to the processing of personal data

…

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to section 14(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier, such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

…

(d) disclosure by transmission, dissemination or otherwise making available,

…

10 Special categories of personal data and criminal convictions etc data

…

(4) Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority.

(5) The processing meets the requirement in Article 10 of the GDPR for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.

…

11 Special categories of personal data etc: supplementary

…

(2) In Article 10 of the GDPR and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to -

(a) the alleged commission of offences by the data subject, or

(b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.

---